I like to analyse the ICO’s undertakings and enforcement notices to see whether there are lessons you can learn from other people’s unfortunate mistakes.
Last year the Orbit housing association moved offices and in the process sold off some of their surplus-to-requirements filing cabinets. The problem was that there were some 57 files left in them. With 42 recovered that left 15 customers’ files in the wild. The ICO insisted on an undertaking (PDF).
I resisted pointing out the obvious — that this was a bad idea — and reminding people that it is important to involve your DPA or security manager in office moves, and to embed DPA considerations into your business change process.
However, a couple of weeks ago Lancashire County Council left some social work records in an old filing cabinet that was bought by a member of the public. Again the ICO required an undertaking (PDF).
There are a couple of lessons to take from these two incidents.
- It is worth reminding everyone in the organisation that the Data Protection Act applies to paper files that contain personal data. Just emphasising this in the next DPA or security training may help someone stop and think.
- Make sure that there’s a DPA or security check in all of your business change processes.